Where this Regulation does not harmonise administrative penalties or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.